2 min read

Setting up Application Roles for Azure AD Graph API

Emily Taylor

I've spent some time recently setting up a new Azure AD for testing out the Azure AD Graph Client Library, mostly following along with the the .NET Graph API Web Sample.

Following those steps alone, I ran into a permissions issue when running delete operations:

{ 
    "odata.error": {
        "code":"Authorization_RequestDenied",
        "message": {
            "lang":"en",
            "value":"Insufficient privileges to complete the operation."
        }
    }
}

The solution I found was to add the "User Account Administrator" role to the application using PowerShell cmdlets. Here are the steps I followed (largely borrowed from this article):

First, download and install the Microsoft Online Services Sign-In Assistant. Then download and install the 64-bit Azure Active Directory module for Windows PowerShell.

After you install the PowerShell module, open PowerShell and connect to your tenant. After you run Get-Credential, you will be prompted for a user name and password, Enter the user name and password of your tenant administrator account.

> $msolcred = Get-Credential
> Connect-MsolService -credential $msolcred

NB: If you are dealing with a brand new AD, you will need to add a new AD user with the 'Global Admin' organizational role before you can run this command.

Get-Credential
Find your Application by running Get-MsolServicePrincipal:

> Get-MsolServicePrincipal

Once you have found your application, note down the ObjectId. You need to assign it the permissions it needs to perform user CRUD operations.

Get-MsolServicePrincipal
Assign the application three roles: directory readers (to read users), directory writers (to create and update users), and a user account administrator (to delete users). These roles have well-known identifiers, so you can replace the -RoleMemberObjectId parameter with ObjectId from above and run the following commands.

> Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal 

NB: To see the list of all directory roles, try running Get-MsolRole:

Get-MsolRole
Your application should now have sufficient permissions to perform all Graph API operations. Hopefully this will save someone some time down the track!